against "two US-based internet companies" that were not named at the time. They had allegedly been tricked into wiring more than $100m to the alleged scammer's bank accounts. On 27 April, Fortune reported that the two victims were Facebook and Google. The man accused of being behind the scam, Evaldas Rimasauskas, 48, allegedly posed as an Asia-based manufacturer and deceived the companies from at least 2013 until 2015. "Fraudulent phishing emails were sent to employees and agents of the victim companies, which regularly conducted multimillion-dollar transactions with [the Asian] company," the US Department of Justice (DOJ) said in March. These emails purported to be from employees of the Asia-based firm, the DOJ alleged, and were sent from email accounts designed to look like they had come from the company, but in fact had not. The DOJ also accused Mr Rimasauskas of forging invoices, contracts and letters "that falsely appeared to have been executed and signed by executives and agents of the victim companies". "We detected this fraud against our vendor management team and promptly alerted the authorities," a spokeswoman for Google said in a statement. "We recouped the funds and we're pleased this matter is resolved." However, the firm did not reveal how much money it had transferred and recouped. Nor did Facebook - but a spokeswoman said: "Facebook recovered the bulk of the funds shortly after the incident and has been cooperating with law enforcement in its investigation."
Following the news that a Lithuanian man had been charged over an email phishing scam attack against "two US-based internet companies" whose identities were not disclosed, it has been recently confirmed that the two companies involved were actually tech giants Google and Facebook. In a report published April 27, Fortune disclosed the identities of both companies. The companies had been tricked into wiring over US$100 million to the alleged scammer’s bank accounts. Evaldas Rimasauskas, 48, purportedly posed as an Asia-based manufacturer and deceived the two companies from at least 2013 to 2015. "Fraudulent phishing emails were sent to employees and agents of the victim companies, which regularly conducted multimillion-dollar transactions with [the Asian] company," the US Department of Justice (DOJ) said. The DOJ alleged that emails supposedly from the employees of said Asian manufacturer were sent from email accounts designed to look like they were actually from the firm. Rimasauskas was charged by the DOJ in March of sending the forged emails, as well as for fabricating invoices, contracts and letters "that falsely appeared to have been executed and signed by executives and agents of the victim companies." "We detected this fraud against our vendor management team and promptly alerted the authorities," a spokesperson for Google said in a statement. "We recouped the funds and we're pleased this matter is resolved." "Facebook recovered the bulk of the funds shortly after the incident and has been cooperating with law enforcement in its investigation," a representative from Facebook said. The BBC reported that neither Google nor Facebook revealed how much money they had transferred, or how much they recouped following the incident.
While the two companies have advanced cybersecurity measures in place, the phishing attacks targeted individuals through their emails — attacks that could have been avoided through proper verification of dubious payment requests. "Sometimes staff [at large firms] think that they are defended, that security isn't part of their job," James Maude of cyber-security firm Avecto told the BBC. "But people are part of the best security you can have — that's why you have to train them."
In examples uncovered by Check Point, the emails were made to look like they were sent from a tax agency, and ostensibly warn the recipients about inconsistencies in their tax returns. The attached file (Dokument.zip) they are instructed to open is made to look like a document file, but is actually an application. If the victim downloads and opens it, it will perform a myriad of silent changes on the target machine, all geared towards setting up a malicious proxy server, which will allow the attacker to gain complete access to all victim communication. “[The malware] uses sophisticated means to monitor—and potentially alter—all HTTP and HTTPS traffic to and from the infected Mac. This means that the malware is capable, for example, of capturing account credentials for any website users log into, which offers many opportunities for theft of cash and data,” Malwarebytes researchers explained. “Further, OSX.Dok could modify the data being sent and received for the purpose of redirecting users to malicious websites in place of legitimate ones.”
In another instance, unearthed by Malwarebytes, another variant of the same dropper doesn’t do the fake “OS X Updates Available” routine, but installs an open source backdoor named Bella, generally available from GitHub. The software is a Python script capable of extracting a wide variety of sensitive data from macOS machines (passwords, keychain, screenshots, location data, iMessage and SMS chat transcripts, etc.). This version of the script has been configured to connect to a C&C server in Moscow. “Business users should be aware that this malware could exfiltrate a large amount of company data, including passwords, code signing certificates, hardware locations and much more. If you’ve been infected, contact your IT department,” the researchers advised, and noted that it is unknown whether there is any connection between Noah, the author of Bella, and the creators of the OSX.Dok malware. “Bella may simply have been used by unrelated hackers since it is freely available as open-source software,” they pointed out.
Well, the valid developer certificate that has been used to sign the malware has been revoked by Apple, so potential new victims won’t be able to open the app and get infected. Of course, future versions of the malware could be signed with another, likely stolen, developer certificate. In the meantime, though, users who have been successfully hit with OSX.Dok are advised to either erase the hard drive and restore the system from a backup made prior to infection, or get help in cleaning the machine from an expert. “Removal of the malware can be accomplished by simply removing the two [malicious] LaunchAgents files, but there are many leftovers and modifications to the system that cannot be as easily reversed. Changes to the sudoers file should be reversed and a knowledgeable user can easily do so using a good text editor (like BBEdit), but making the wrong changes to that file can cause serious problems,” they noted. The bad certificate should also be removed, and so should a LaunchAgents file named homebrew.mxcl.tor.plist. But, according to them, “the numerous legitimate command-line tools installed, consisting of tens of thousands of files, cannot be easily removed.”
DocuSign, a major provider of electronic signature technology, acknowledged today that a series of recent malware phishing attacks targeting its customers and users was the result of a data breach at one of its computer systems. The company stresses that the data stolen was limited to customer and user email addresses, but the incident is especially dangerous because it allows attackers to target users who may already be expecting to click on links in emails from DocuSign. San Francisco-based DocuSign warned on May 9 that it was tracking a malicious email campaign where the subject line reads, “Completed: docusign.com – Wire Transfer Instructions for recipient-name Document Ready for Signature.” The missives contained a link to a downloadable Microsoft Word document that harbored malware. The company said at the time that the messages were not associated with DocuSign, and that they were sent from a malicious third-party using DocuSign branding in the headers and body of the email. But in an update late Monday, DocuSign confirmed that this malicious third party was able to send the messages to customers and users because it had broken in and stolen DocuSign’s list of customers and users.
“As part of our ongoing investigation, today we confirmed that a malicious third party had gained temporary access to a separate, non-core system that allows us to communicate service-related announcements to users via email,” DocuSign wrote in an alert posted to its site. “A complete forensic analysis has confirmed that only email addresses were accessed; no names, physical addresses, passwords, social security numbers, credit card data or other information was accessed. No content or any customer documents sent through DocuSign’s eSignature system was accessed; and DocuSign’s core eSignature service, envelopes and customer documents and data remain secure.”
The company is asking people to forward any suspicious emails related to DocuSign to spam@docusign.com, and then to delete the missives. “They may appear suspicious because you don’t recognize the sender, weren’t expecting a document to sign, contain misspellings (like “docusgn.com” without an ‘i’ or @docus.com), contain an attachment, or direct you to a link that starts with anything other than https://www.docusign.com or https://www.docusign.net,” reads the advisory. If you have reason to expect a DocuSign document via email, don’t respond to an email that looks like it’s from DocuSign by clicking a link in the message. When in doubt, access your documents directly by visiting docusign.com, and entering the unique security code included at the bottom of every legitimate DocuSign email. DocuSign says it will never ask recipients to open a PDF, Office document or ZIP file in an email. DocuSign was already a perennial target for phishers and malware writers, but this incident is likely to intensify attacks against its users and customers. DocuSign says it has more than 100 million users, and it seems all but certain that the criminals who stole the company’s customer email list are going to be putting it to nefarious use for some time to come.
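The advisory's checks (sender, attachment, link destination) can be applied mechanically by a mail filter. The following is an added example, not code from DocuSign or the article: it compares the parsed host of each link instead of the string prefix, so a link that merely starts with the right text still fails. The sender-domain list, the extension list and the sample message are assumptions constructed for illustration.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlsplit

ALLOWED_LINK_HOSTS = {"www.docusign.com", "www.docusign.net"}  # named in the advisory
SENDER_DOMAINS = ("docusign.com", "docusign.net")  # assumption: not stated in the advisory
RISKY_EXT = (".pdf", ".doc", ".docx", ".docm", ".xls", ".xlsx", ".zip")  # assumed mapping
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def link_is_docusign(url):
    """Check the parsed scheme and host rather than the string prefix, so that
    https://www.docusign.com.files.example/ and userinfo tricks are rejected."""
    try:
        p = urlsplit(url)
    except ValueError:
        return False
    return p.scheme == "https" and p.hostname in ALLOWED_LINK_HOSTS and p.username is None

def triage(msg):
    """Return the reasons a message fails the advisory's checks (empty list if none)."""
    findings = []
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not any(domain == d or domain.endswith("." + d) for d in SENDER_DOMAINS):
        findings.append("sender domain: " + domain)
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append("attachment: " + name)
        elif part.get_content_maintype() == "text":
            for url in URL_RE.findall(part.get_content()):
                if not link_is_docusign(url):
                    findings.append("link: " + url)
    return findings

def sample_message():
    """Constructed sample; link hosts other than DocuSign's use the reserved .example TLD."""
    m = EmailMessage()
    m["From"] = "DocuSign <notice@docusgn.com>"  # misspelling quoted in the advisory
    m["Subject"] = "Completed: Document Ready for Signature"
    m.set_content("Review: https://www.docusign.com.files.example/doc\n"
                  "Or: https://www.docusign.com/ok and http://www.docusign.net/x\n")
    m.add_attachment(b"constructed", maintype="application",
                     subtype="zip", filename="Instructions.ZIP")
    return m

if __name__ == "__main__":
    print(triage(sample_message()))
```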